Anatomy of a Breach: AT&T — 73 Million Customer Records from a 2019 Breach Surface on the Dark Web

> series: anatomy_of_a_breach —— part: 184 —— target: att —— records: 73,000,000 —— data: ssns_passcodes —— original_breach: ~2019

Hedgehog Security 30 April 2024 12 min read

73 million records. SSNs. Cracked passcodes. From a breach five years ago that AT&T denied.

In March 2024, AT&T confirmed that a dataset containing the personal information of approximately 73 million current and former customers had been published on the dark web. The data included names, addresses, phone numbers, dates of birth, Social Security numbers, and encrypted AT&T account passcodes. Security researchers quickly demonstrated that the encrypted passcodes — four-digit PINs used for account verification — could be easily cracked, enabling account takeover.

The data appeared to originate from a breach dating to approximately 2019. A hacker had claimed to have the data in 2021, but AT&T denied at the time that it had originated from its systems. The 2024 publication — with the full dataset freely available — forced AT&T to acknowledge the breach, reset all affected customers' passcodes, and notify 73 million individuals. The case paralleled Yahoo's delayed disclosure (2016) and Uber's cover-up (2017): denial does not make a breach disappear — it simply delays the reckoning.

Denied in 2021. Confirmed in 2024. 73 million people waited three years to be told.

Five Years from Breach to Disclosure

The data appears to have been stolen around 2019, claimed in 2021, and confirmed in 2024 — a five-year gap. Under GDPR, breaches must be disclosed within 72 hours. <a href="https://www.socinabox.co.uk">SOC in a Box</a> enables prompt detection supporting timely disclosure. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides incident response including regulatory notification guidance.

Encrypted Passcodes Easily Cracked

AT&T's four-digit account passcodes were encrypted but trivially crackable — a four-digit PIN has only 10,000 possible combinations. Weak encryption of short values provides negligible protection. Our <a href="/penetration-testing/web-application">application testing</a> assesses credential storage strength.
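
The following storage audit is an added example, not code from this article, and it does not reproduce AT&T's actual scheme, which the article does not describe. It assumes a salted SHA-256 as the weak form and an HMAC under a key held outside the database as the hardened form (all function names are hypothetical), and checks whether a database dump alone is enough to determine a four-digit passcode.

```python
import hashlib
import hmac
import os

# Every value a four-digit passcode can take: the 10,000 combinations noted above.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]

def protect_unkeyed(pin: str, salt: bytes) -> bytes:
    """Weak form (assumed for illustration): salted SHA-256, salt stored with the record."""
    return hashlib.sha256(salt + pin.encode()).digest()

def protect_keyed(pin: str, salt: bytes, key: bytes) -> bytes:
    """Hardened form: HMAC-SHA-256 under a key kept outside the database (HSM or KMS)."""
    return hmac.new(key, salt + pin.encode(), hashlib.sha256).digest()

def pins_consistent_with(stored: bytes, derive) -> list:
    """Audit check: every PIN that reproduces `stored` using only what `derive` knows."""
    return [pin for pin in PIN_SPACE if hmac.compare_digest(derive(pin), stored)]

def audit(pin: str = "4071") -> dict:
    """Protect one constructed record both ways and report what a dump would expose."""
    salt = os.urandom(16)       # per-record salt, stored beside the value
    key = os.urandom(32)        # server-side secret, never written to the database
    wrong_key = os.urandom(32)  # stands in for a party holding the dump but not the key
    weak = protect_unkeyed(pin, salt)
    strong = protect_keyed(pin, salt, key)
    return {
        # Dump holds salt and value: the 10,000-entry search space identifies the PIN.
        "unkeyed": pins_consistent_with(weak, lambda p: protect_unkeyed(p, salt)),
        # Dump holds salt and value but not the key: no candidate matches.
        "keyed_without_key": pins_consistent_with(strong, lambda p: protect_keyed(p, salt, wrong_key)),
        # If the key is stored or leaked with the data, the protection collapses again.
        "keyed_with_key": pins_consistent_with(strong, lambda p: protect_keyed(p, salt, key)),
    }

if __name__ == "__main__":
    for scheme, found in audit().items():
        print(f"{scheme:18} -> {found}")
```

The salt does not help the unkeyed form because it travels with the record; only a secret that is absent from the dump changes the outcome.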

SSNs Exposed — Again

The exposure of Social Security numbers enables long-term identity theft — the same consequence documented from <a href="/blog/anatomy-of-a-breach-equifax">Equifax</a> (147M, 2017) and <a href="/blog/anatomy-of-a-breach-opm">OPM</a> (21.5M, 2015). SSNs cannot be changed, making their exposure permanent.

Stolen Data Eventually Surfaces

Data stolen in 2019 was published in 2024 — proving that stolen data does not disappear, it circulates and eventually becomes public. <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects stolen data as it circulates, enabling response before mass publication.

Stolen data surfaces. Denial delays the inevitable. Disclose, don't deny.

The AT&T case proved that denying a breach does not prevent the data from eventually surfacing — it simply delays notification to affected individuals and compounds the reputational damage when the truth emerges. For UK organisations, GDPR mandates 72-hour disclosure. Cyber Essentials establishes security controls. SOC in a Box detects breaches promptly. Our penetration testing validates credential security. And UK Cyber Defence provides incident response that enables honest, timely disclosure.

AT&T denied a breach in 2021. In 2024, 73 million records proved them wrong. Is your disclosure process ready?

<a href="https://www.socinabox.co.uk">SOC in a Box</a> enables prompt detection. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages disclosure. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline.
